Cross-site scripting bug - Java sample

js/samples/quickstart-java/pom.xml

@@ -32,9 +32,9 @@
     </dependency>
 
     <dependency>
-      <groupId>com.google.code.gson</groupId>
-      <artifactId>gson</artifactId>
-      <version>2.8.9</version>
+      <groupId>org.owasp.encoder</groupId>
+      <artifactId>encoder</artifactId>
+      <version>1.2.3</version>
     </dependency>
 
   </dependencies>

js/samples/quickstart-java/src/main/java/Microsoft/ImmersiveReader/GetAuthTokenServlet.java

@@ -5,8 +5,7 @@ import javax.servlet.http.*;
 import java.io.*;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
+import org.owasp.encoder.Encode;
 
 public class GetAuthTokenServlet extends HttpServlet {
 
@@ -27,11 +26,10 @@ public class GetAuthTokenServlet extends HttpServlet {
         }
 
         String token = getToken();
-        httpServletResponse.setContentType("application/json");
-        JsonObject tokenJson = JsonParser.parseString(token).getAsJsonObject();
+        String sanitizedToken = Encode.forJava(token);
 
         PrintWriter writer = httpServletResponse.getWriter();
-        writer.write(tokenJson.toString());
+        writer.write(sanitizedToken);
         writer.flush();
     }
 

js/samples/quickstart-java/src/main/webapp/resources/helpers.js

@@ -4,10 +4,15 @@ function getTokenAsync() {
       url: "/getAuthTokenServlet",
       type: "GET",
       success: function (response) {
-        const data = response;
+        let data = response;
         if (data.error) {
           reject(data.error);
         } else {
+          // decode token
+          const decodedData = data
+              .replace(/\\"/g, '"')   // Unescape escaped quotes
+              .replace(/\\\\/g, '\\'); // Unescape escaped backslashes
+          data = JSON.parse(decodedData);
           const token = data["access_token"];
           resolve({ token });
         }